China’s Data Security Law (DSL): Key Compliance Insights

China’s Data Security Law (数据安全法, Shùjù ānquán fǎ, DSL) has reshaped how foreign and local companies must handle “important data” and “core data” within China. If your business moves operational, customer, or analytics data across borders—or even if you just store data in China—understanding DSL’s classifications, triggers for national security review, transfer restrictions, and penalties is not optional. This guide breaks down practical compliance steps, what triggers regulatory scrutiny, and how to avoid the costly mistakes that have tripped up even seasoned multinationals.

Key Takeaways:

  • How “important data” and “core data” are defined and classified under the DSL
  • What types of business activities trigger a national security review
  • What restrictions apply to data transactions and cross-border transfers
  • Penalties for non-compliance, including recent changes to fine structures
  • A practical self-assessment checklist for enterprise DSL compliance

Data Classification under the DSL

The DSL itself, and the authoritative commentary on it (Wikipedia, Securiti, Skadden), describe only two regulated categories: “important data” and “core data.” “Ordinary data” is not a statutory category but a practical label for data that falls into neither; the text of the law does not define a three-tier scheme.

This classification directly affects your compliance burden and risk exposure.

1. Ordinary Data (普通数据, pǔtōng shùjù)

This is data not designated as “important” or “core.” It is subject to basic data management and security requirements, but generally not to localization or export controls. Most routine business data falls into this category.

2. Important Data (重要数据, zhòngyào shùjù)

Defined by the DSL as data “that, once tampered with, destroyed, leaked or illegally obtained or used, may endanger national economic operations, social stability, public health and safety, or important public interests.” Examples include:

  • Large-scale financial transaction records
  • Critical supply chain data
  • Industrial production and logistics data
  • Population movement or health statistics

Sectoral regulators in China periodically publish industry-specific catalogues of “important data,” but these are often broad and subject to updates. There is, as of now, no unified catalogue, which creates uncertainty for multinationals (Securiti).

3. Core Data (核心数据, héxīn shùjù)

This is the highest-risk category and includes data “concerning national security, the lifeline of the national economy, important aspects of people’s livelihood, and major public interests.”

Unauthorized handling of core data may trigger criminal liability, depending on the nature and severity of the violation (Wikipedia, Securiti).

Core data is broadly defined and interpreted flexibly by regulators (Wikipedia).

| Data Category | Definition | Typical Examples | Key Requirements |
|---|---|---|---|
| Ordinary Data (普通数据) | Not classified as important or core | General HR records, marketing analytics | Basic security; no localization or export controls |
| Important Data (重要数据) | Data with potential to endanger the economy, society, or public interests if compromised | Supply chain, financial, infrastructure data | Enhanced security; export controls; sectoral review |
| Core Data (核心数据) | Data critical to national security, the economy, or public welfare | Strategic infrastructure, nationwide health data | Strictest controls; localization; criminal penalties for violations |

For more context, refer to the full law text and sectoral guidance: Data Security Law (Wikipedia).

National Security Review Triggers

The DSL and related regulations (especially Articles 24 and 25) require a national security review (国家安全审查, guójiā ānquán shěnchá) for data activities that may “affect or endanger national security.” The review system is intentionally broad—if you process, transfer, or sell data that is or could be classified as “important” or “core,” you are at risk of triggering a review.

Trigger Scenarios

  • Cross-border data transfer of important or core data by a Critical Information Infrastructure Operator (CII, 关键信息基础设施运营者, guānjiàn xìnxī jīchǔ shèshī yùnyíng zhě)
  • Sale or provision of important/core data to foreign entities or individuals
  • Mergers, acquisitions, or reorganizations that may result in foreign control over Chinese data assets
  • Requests from foreign law enforcement to access data stored in China

According to Skadden, the review focuses on risks to “national security, public interest, or the legitimate rights and interests of citizens and organizations.” The process is initiated by sector regulators or the Cyberspace Administration of China (CAC).

Review Process Overview

  1. Self-assessment by the data processor (required before initiating certain data transfers or transactions)
  2. Submission of materials to the relevant authority (often the CAC or industry regulator)
  3. Regulatory review and risk assessment
  4. Approval, conditional approval, or rejection; remedial measures may be required

Reviews are opaque, timelines are unpredictable, and outcomes can hinge on political and sectoral sensitivities. Expect scrutiny to be especially high in sectors like finance, healthcare, logistics, and communications.

Data Transaction Regulations and Cross-Border Transfers

The DSL, in conjunction with the Cybersecurity Law (CSL) and Personal Information Protection Law (PIPL), imposes strict controls on data transactions—especially those involving cross-border transfers or third-party sales. Key provisions include:

Cross-Border Data Transfer

  • Important data and core data must undergo a security assessment before export (Wikipedia).
  • Data localization: Core data must be stored in China unless specifically authorized to be transferred abroad.
  • Prohibition on complying with foreign law enforcement/judicial requests for data without Chinese government approval (DSL Article 36).
  • Sectoral catalogues may add additional restrictions, especially for automotive, finance, and health data.

Data Transaction and Sale

  • Sale or provision of important/core data to foreign entities requires security review and, in some cases, explicit government approval.
  • Transactions involving data that could “affect or endanger national security or the public interest” are strictly regulated (DSL Article 31).

| Scenario | Requirement | Authority |
|---|---|---|
| Cross-border transfer of important data | Security assessment required before transfer | CAC / sector regulator |
| Export of core data | Generally prohibited; exceptions only with explicit approval | CAC / sector regulator |
| Sale of important/core data to a foreign entity | National security review required | CAC / sector regulator |
| Responding to a foreign law enforcement request | Must obtain approval from the relevant Chinese authorities | CAC / sector regulator |

For more details on cross-border data flows and compliance, see the analysis at Skadden and Conventus Law.

Penalties and Enforcement

Enforcement of the DSL is rapidly intensifying, with recent amendments to the Cybersecurity Law (CSL) introducing stricter fines and more detailed liability provisions to align with the DSL and PIPL (Conventus Law). The penalties can be severe:

  • Fines for data handlers violating core or important data requirements can reach up to RMB 50 million (approx. USD 7 million) or 5% of the previous year’s revenue for the most serious offenses.
  • Business suspension, license revocation, and personal liability for directly responsible managers or officers.
  • Aggravated penalties for repeat offenders or violations deemed to “seriously endanger national security.”
  • Criminal liability for the illegal handling of core data, including potential imprisonment.

Notably, the amendments effective January 1, 2026, further align penalty structures with those found in the PIPL and strengthen the consequences for “material cybersecurity violations” (Hogan Lovells).

Self-Assessment Compliance Checklist for Foreign Companies

Use this checklist to evaluate your current compliance posture and prepare for a potential regulatory inspection:

  • Have you classified your data assets in China according to DSL categories (ordinary, important, core)?
  • Do you monitor sectoral catalogues for updates to “important data” definitions in your industry?
  • Is core data stored exclusively in China, with transfer procedures approved by regulators?
  • Do you conduct self-assessments and prepare documentation before any cross-border transfers?
  • Have you mapped your data flows to identify all data leaving China or being accessed remotely?
  • Are your contracts with suppliers, partners, and cloud providers updated to reflect DSL obligations?
  • Do you have a process for responding to foreign law enforcement requests in compliance with Article 36?
  • Are you prepared for a national security review for mergers, acquisitions, or restructuring involving data assets?
  • Do you have an incident response plan for handling data breaches involving important or core data?
  • Are your compliance and legal teams trained on DSL, CSL, and PIPL interplay?

For a more detailed compliance roadmap, see sector-specific guidance and consult with a bilingual legal advisor familiar with Chinese regulatory enforcement.

Common Pitfalls and Pro Tips

Despite widespread awareness of the DSL, many companies stumble over the following issues:

Pitfalls

  • Assuming data not explicitly listed in a catalogue is “ordinary”—regulators can retroactively reclassify data as “important” or “core.”
  • Underestimating the time and complexity of national security reviews—these can take months and may require detailed technical documentation in Chinese.
  • Failing to monitor changes to sectoral guidance; Chinese regulators update definitions and requirements with little advance notice.
  • Neglecting to update contracts and internal policies to reflect new obligations under the DSL and CSL amendments.
  • Overlooking the need to localize cloud backups and secondary data copies if they contain important/core data.

Pro Tips

  • Establish a cross-functional compliance team with Mandarin-speaking counsel experienced in Chinese regulatory procedures.
  • Map your entire data lifecycle in China—collection, storage, processing, transfer, backup, and deletion.
  • Engage with local regulators proactively, especially if your business is in a sensitive sector or you anticipate a merger/acquisition.
  • Use bilingual documentation for all compliance-related processes and self-assessments to facilitate regulator communication.
  • Track related laws (PIPL, CSL) and their amendments, as enforcement trends and definitions are harmonized across these statutes.

Conclusion & Next Steps

China’s Data Security Law (DSL) is sweeping in scope and evolving rapidly. If you handle any data in or from China, you must treat data classification, transaction controls, and national security reviews as central to your risk management. Start with a robust self-assessment, update compliance documentation, and engage with local counsel to address new regulatory developments. For further reading, review the Conventus Law summary and monitor sectoral guidance.

For more on related compliance topics, see our guide on China cloud storage compliance and our overview of enterprise collaboration tools in China.